Monday, December 23, 2024
HomeCyber Security NewsMicrosoft Discovered a Vulnerability in macOS That Allow Attackers to Install Malware

Microsoft Discovered a Vulnerability in macOS That Allow Attackers to Install Malware

Published on

SIEM as a Service

The macOS operating system was fixed recently by Apple to eliminate a vulnerability found and reported by the principal security researcher of Microsoft, it could be exploited by attackers to install malware.

Untrusted applications with the capability of bypassing Gatekeeper application execution restrictions could be used to exploit this vulnerability. This security flaw has been named Achilles and assigned the CVE-2022-42821 designation.

It was on December 13 that Apple addressed the bug and made it available to users with the following versions of macOS:-

- Advertisement - SIEM as a Service
  • macOS13 (Ventura)
  • macOS 12.6.2 (Monterey)
  • macOS 1.7.2 (Big Sur)

Flaw profile

  • CVE ID: CVE-2022-42821
  • Description: It’s a logic issue.
  • CVSS Score: 5.5 
  • Severity: MEDIUM

Gatekeeper Security Bypassing

Apps downloaded from the Internet are automatically checked by Gatekeeper on macOS. When the app can’t be trusted, the user is prompted to confirm or an alert is displayed that the app is untrustworthy before it can be launched.

Gatekeeper on macOS

Gatekeeper has been recognized as one of the most useful and effective security features on macOS as a result of its role as a countermeasure against malware.

It is worth considering, however, that Gatekeeper, in spite of being bulletproof, has been found vulnerable to numerous bypass techniques in the past.

An extension attribute named com.apple.quarantine is associated with all downloaded files in web browsers, very similar to the Mark of the Web in Windows, that identifies files that will be quarantined.

A logic error present in the Access Control List (ACL) can be exploited by specially-crafted payloads to set restrictive permissions on a computer system due to the Achilles flaw. 

As a result, a web browser or internet downloader that downloads a payload archived as a ZIP file will not be able to set the com.apple[.]quarantine attribute.

In the case of an archived malicious payload, the malicious application contained within the archive is launched on the target’s computer as a result. It is through this method that attackers can download and deploy malware instead of being blocked by Gatekeeper.

Gatekeeper Bypass Vulnerabilities

During the last several years, a number of Gatekeeper bypass vulnerabilities were discovered, and the following are some examples:-

  • CVE-2022-22616: Assignment of the quarantine attribute.
  • CVE-2021-1810: Assignment of the quarantine attribute.
  • CVE-2021-30657: Component(s) that enforce policy checks.
  • CVE-2021-30853: Component(s) that enforce policy checks.
  • CVE-2019-8656: Assignment of the quarantine attribute.
  • CVE-2014-8826: Component(s) that enforce policy checks.

A variety of threats and attack capabilities are continually emerging in the threat landscape. Using this rapidly evolving threat scenario, malicious actors are able to gain access to systems and data on a computer system using unpatched vulnerabilities and misconfigurations.

There is no doubt that fake apps remain a significant vector for entry into macOS systems. Gatekeeper bypass techniques are becoming more and more attractive to threat actors, as attacks become more sophisticated, and they are even being considered necessities by malicious actors.

A case like this illustrates the importance of responsible vulnerability disclosures as well as collaboration across different platforms. By doing so, various issues can be addressed effectively, protecting users from potential threats in the future as well as in the present.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

PentestGPT – A ChatGPT Powered Automated Penetration Testing Tool

GBHackers come across a new ChatGPT-powered Penetration testing Tool called "PentestGPT" that helps penetration...

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...